Daniel Kalchev (daniel) writes:
>> DNSSEC is not some magical technology that just solves "the problems".
>> On this, I am with Doug, that "if there is a high price for doing it
> wrong less people will do it wrong".
Couple more things. a) Local policy allows you not to enable validation
*at all* in the first place. b) Validating caching resolvers will be
around for many more years, but if you can, validate on the client/
application. The closer, the better. If we stop at the current state
of things, we haven't done our job. If NTAs help, so be it.